CVE-2023-2744

HIGH

WP ERP < 1.12.4 - Authenticated SQL Injection via ERP Accounting People Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2744. PoCs published by pashayogi.

AI-analyzed exploit summary This repository contains a functional Python script that demonstrates a time-based blind SQL injection vulnerability in WP ERP's Accounting module via the 'type' parameter in the '/wp-json/erp/v1/accounting/v1/people' endpoint. The PoC measures response time to confirm vulnerability.

Description

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Exploits (1)

nomisec WORKING POC 1 stars
by pashayogi · poc
https://github.com/pashayogi/CVE-2023-2744

This repository contains a functional Python script that demonstrates a time-based blind SQL injection vulnerability in WP ERP's Accounting module via the 'type' parameter in the '/wp-json/erp/v1/accounting/v1/people' endpoint. The PoC measures response time to confirm vulnerability.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: WP ERP Accounting module <= 1.12.2
No auth needed
Prerequisites: WordPress site with vulnerable WP ERP plugin installed · Access to the target endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/435da8a1-9955-46d7-a508-b5738259e731

Scores

CVSS v3 7.2
EPSS 0.0261
EPSS Percentile 83.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
wedevs/wp_erp < 1.12.4
Published Jun 27, 2023
Tracked Since Feb 18, 2026